X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=img_auth.php;h=f23de4f4703f71f63580735954eca7a728116b5b;hb=d912ae39113edf613ad47e30272d2eea68ef204d;hp=0a209e98b42464064adaf44049958004a5288752;hpb=0f24b13ea03a7226bd7b9f0d84f4deee8bea0736;p=lhc%2Fweb%2Fwiklou.git diff --git a/img_auth.php b/img_auth.php index 0a209e98b4..f23de4f470 100644 --- a/img_auth.php +++ b/img_auth.php @@ -39,6 +39,7 @@ */ define( 'MW_NO_OUTPUT_COMPRESSION', 1 ); +define( 'MW_ENTRY_POINT', 'img_auth' ); require __DIR__ . '/includes/WebStart.php'; # Set action base paths so that WebRequest::getPathInfo() @@ -53,9 +54,10 @@ $mediawiki->doPostOutputShutdown( 'fast' ); function wfImageAuthMain() { global $wgImgAuthUrlPathMap; + $permissionManager = \MediaWiki\MediaWikiServices::getInstance()->getPermissionManager(); $request = RequestContext::getMain()->getRequest(); - $publicWiki = in_array( 'read', User::getGroupPermissions( [ '*' ] ), true ); + $publicWiki = in_array( 'read', $permissionManager->getGroupPermissions( [ '*' ] ), true ); // Get the requested file path (source file or thumbnail) $matches = WebRequest::getPathInfo(); @@ -79,6 +81,8 @@ function wfImageAuthMain() { return; } + $user = RequestContext::getMain()->getUser(); + // Various extensions may have their own backends that need access. // Check if there is a special backend and storage base path for this file. foreach ( $wgImgAuthUrlPathMap as $prefix => $storageDir ) { @@ -87,7 +91,7 @@ function wfImageAuthMain() { $be = FileBackendGroup::singleton()->backendFromPath( $storageDir ); $filename = $storageDir . substr( $path, strlen( $prefix ) ); // strip prefix // Check basic user authorization - if ( !RequestContext::getMain()->getUser()->isAllowed( 'read' ) ) { + if ( !$user->isAllowed( 'read' ) ) { wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $path ); return; } @@ -136,12 +140,13 @@ function wfImageAuthMain() { $headers = []; // extra HTTP headers to send + $title = Title::makeTitleSafe( NS_FILE, $name ); + if ( !$publicWiki ) { // For private wikis, run extra auth checks and set cache control headers - $headers[] = 'Cache-Control: private'; - $headers[] = 'Vary: Cookie'; + $headers['Cache-Control'] = 'private'; + $headers['Vary'] = 'Cookie'; - $title = Title::makeTitleSafe( NS_FILE, $name ); if ( !$title instanceof Title ) { // files have valid titles wfForbidden( 'img-auth-accessdenied', 'img-auth-badtitle', $name ); return; @@ -157,27 +162,31 @@ function wfImageAuthMain() { // Check user authorization for this title // Checks Whitelist too - if ( !$title->userCan( 'read' ) ) { + + if ( !$permissionManager->userCan( 'read', $user, $title ) ) { wfForbidden( 'img-auth-accessdenied', 'img-auth-noread', $name ); return; } } - $options = []; // HTTP header options if ( isset( $_SERVER['HTTP_RANGE'] ) ) { - $options['range'] = $_SERVER['HTTP_RANGE']; + $headers['Range'] = $_SERVER['HTTP_RANGE']; } if ( isset( $_SERVER['HTTP_IF_MODIFIED_SINCE'] ) ) { - $options['if-modified-since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE']; + $headers['If-Modified-Since'] = $_SERVER['HTTP_IF_MODIFIED_SINCE']; } if ( $request->getCheck( 'download' ) ) { - $headers[] = 'Content-Disposition: attachment'; + $headers['Content-Disposition'] = 'attachment'; } + // Allow modification of headers before streaming a file + Hooks::run( 'ImgAuthModifyHeaders', [ $title->getTitleValue(), &$headers ] ); + // Stream the requested file + list( $headers, $options ) = HTTPFileStreamer::preprocessHeaders( $headers ); wfDebugLog( 'img_auth', "Streaming `" . $filename . "`." ); - $repo->streamFile( $filename, $headers, $options ); + $repo->streamFileWithStatus( $filename, $headers, $options ); } /**